PCI DSS Requirement 12.8 seems to be a source of confusion for lots of folks in the industry.

"What's a service provider?"

"What counts as sharing credit card data?"

etc.

This example, from a totally different industry, really helps illustrate the intent behind Requirement 12.8. That intent is to make sure the people who help you store, transmit, or process cardholder data don't mess up. That includes people helping you manage your systems, host your systems, or monitor your IDS...